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(54) Digital signature generating/verifying method and system using public key encryption 



(57) A digital signature generating/verifying method 
using a public key encryption scheme which ensures 
high security, reduction in length of the digital signature 
and independency of the length of the digital signature 
on that the order of a base point. In generating a digital 
signature, a first hash value (e) satisfying a condition 
that e = H(M) is determined for a given message (M) by 
using a hash function (H), a numerical value (x) is 
obtained from translation of a random number, a hash 
value (r) satisfying a condition that r = h(x) is determined 
by using a hash function (h) whose output value is 
shorter than that of the first hash function (H), and the 
digital signature is generated by using the hash values 
(e) and (r) as determined. For verification of an inputted 
digital signature, the hash value (e) satisfying the condi- 
tion that e a H(M) is determined, and for a numerical 
value (x) obtained from arithmetic operation of a public 
key (Q), a base point (P) and the inputted digital signa- 
ture (r, s), a hash value (0 satisfying a condition that r' 
= h(x) on the basis of the hash value (e), the digital sig- 
nature (r, s), the base point (P) and the public key (Q) by 
using a hash function (h) whose output value is shorter 
than that of the first hash function (H). The hash value 
(0 is then compared with a tally (r) of the inputted digital 
signature to thereby verify the inputted digital signature. 



FIG. I 



no. 



USER A*. ISSUED 
POCUMEHT 



USER B'. ISSUED 
DOCUMENT 



109 



111- 



USER A i 
SK3NATURE 
(n*i> 



USER B's % 
COMMENT (Mil. 



USERS Am AND B'e 
SK3NATURE 
(n/tJii) 



115 
114 



r 
s 



113 
112 



105^ 


ALl 


105^ 


ALl' 




ALl 






107^ 


AU 






117^ 


BASE v 
PONT CP) 


m > 


BASE 
POtNT(P) 


122 ^ 


BASE 
POffT(P) 


11B^ 


PRIVATE 
KEY (dt) 


120^ 


PUBLIC 
KEY(Qi) 


123 ^ 


PUBUC 
KEY(Qi) 






™> 
103^ 


PUBLIC 
KEYUz) 


IM^. 


PUBLIC 
KEV(Qt) 












Primed by Xerox (UK) Business Services 



EP0B40478A2 



Description 

BACKGROUND OF THE INVENTION 

5 The present invention relates to a method and a system for generating and/or verifying a digital signature by using 
a public key encryption method for securing the security in a computer network. 

The digital signature technology for imparting electric documents or the like for electronic comments or transactions 
with a function equivalent to that of a conventional seal (hanto in Japanese) promises high efficiency utilization of com- 
puter-network system. However, with the conventional electronic mail encryption technology (also known as Privacy 
10 Enhanced Mail or PEM in abbreviation), it is impossible to process more than one digital signature for a single 
enhanced mail. In this conjunction, in the electronic commerce fields, it is expected in the not-so-distant future that the 
electronic document such as message and the fite affixed with a number of cfigital signatures including not only the dig- 
ital signature of a purchaser but also those of a distributor, salesman and/or monetary business-man will be handled. 
Under the circumstances, there arises a demand for the multiple digital signature technology which allows the electronic 
75 documents affixed with a plurality of digital signatures to be processed. In this exjunction, rt is noted that a person 
received an electronic document affixed with a plurality of digital signatures will be forced to verify the authenticity of 
plural or N digital signatures written by other persons before writing or generating his or her own single digital signature. 
Thus, in order to enhance the availability of the digital signature facility in the computer network system, it will be 
required to increase the speed for verification of the plural (N) digital signatures. Besides, it is conceivable that in the 
20 electronic commerces, there is a possibility that comments may be added by a plurality of persons in the course of 
processing the electronic document 

For having better understanding of the invention, description will first be made in some detail of the technical back- 
ground of the invention. As a typical one of the digital signature techniques known heretofore, there may be mentioned 
the public-key cryptography elliptic curve system disclosed in J. KoeOer, A. J. Menezes, M. Qu and S. A. Vanstone: 
25 "Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography Elliptic Curve Systems (Draft 8)" in "IEEE 
P1363 Standard" published by the IEEE. May 3, 1996 and May 14, 1996. respectively. 

Figure 9 is a schematic diagram showing generally a configuration of a computer network system in which the tech- 
niques disclosed in the above-mentioned literatures are adopted. 

Referring to Fig. 9, there are connected to a network 1001 a system manager's computer 1002, a user A's compu- 
30 ter 1003 and a user B's computer 1004 for mutual communication. 

Operations of the individual units shown in Fig. 9 will be described below. 

System Setup 

35 The system manager's computer 1002 is in charge of generating an elliptic curve (E) 1006. Subsequently, a base 
point (also referred to as the system key) (P) 1 007 of the order (n) 1008 is generated and registered in a public file 1005. 

Key Generation 

40 A key generating function module 1011 incorporated in the user A's computer 1003 is designed to execute the 
processing steps which will be mentioned below. 

Step 1 : In an interval [2, n * 2J, an integer d A is selected at random as a private key. 

Step 2: A key Q A is computed in accordance with Q A = d A P. 
45 Step 3: The key (Q A ) 1015 is opened to the public as the public key. More specifically, the public key (Q A ) 1015 is 
transmitted together with the identifier name of the user A to the system manager's computer 1002 via the 
network 1001, whereon the identifier name of the user A is written in the public file 1005 at a column 1009 
for the user A's name with thevalueofthe public key (Q A ) 1 0 1 5 being written in a column 1 0 1 0 for the public 
key Q A . 

50 Step 4: in the user A's computer 1 003, the value of the private key (d*) 1 01 4 is held as the private key of the user A. 
Digital Signature Generation Process 

A digital signature generating function module 1033 incorporated in the user A's computer 1003 is designed to exe- 
55 cute the processing steps mentioned below. 

Step 1 : Message (M) 1016 is received. 

Step 2: Hash value e = H(M) is computed by using a hash function (H) 1028. 
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Step 3: Random number Is is selected from the interval [2, n • 2J by using a random number generation function 
1029. 

Step 4: Point kP = (x, y) is computed by a so-cafled "scalar multiplication on elliptic curve (E)" 1 030. 
Step 5: A first tally £ given by r * x ♦ e (mod n) is determined in accordance with the modular computation "r = x + 
e (mod n)" 1031. 

Step 6: A private key (dp) 1017 is inputted to modular computation process "s ■ k - d A r (mod n)" 1032 for thereby 
determining a second tally fi (« k - d A r (mod n)). 

Step 7: A message M 1016 and the digital signature (r, s) 1019 are sent to the user B*s computer 1004 via the net- 
work 1001. 

As the parameters required for the computations performed by the digital signage generating function module 
1033. the elliptic curve (E) 1006, the base point which may also be referred to system key (P) 1007 and the order (n) 
1008 registered in the public file 1005 held by the system manager's computer 1002 are referenced. 

Digital Signatu re Verification Process 

A digital signature verifying function module 1023 incorporated in the user B's computer 1004 is designed to exe- 
cute the processing steps mentioned below. 

Step 1 : The user A's pubfic key (Qa) 1010 is fetched from the public file 1005 held by the system manager's com- 
puter 1002 to be set as a public key (Qa) 1020. Additionally, the base point (system key) (P) 1007 is fetched 
from the pubfic file 1005 held by the system manager's computer 1002 to be set as the base point (P) 
1007B. Furthermore, the digital signature (r, s) 1019 sent from the user A's computer 1003 is received to be 
set as a digital signature (r, s) 1021 . Besides, the message (M) 1016 sent from the user A's computer 1003 
is received to be set as a message (M) 1022. 

Step 2: The base point or system key (P) 1007B, the public key (Qa) 1020. the digital signature (r. s) 1 021 are input- 
ted to the process "scalar multiplication on elliptic curve (E)" and "addition" 1024 to thereby carry out the 
calculation "(x, y) =sP + rQ A ". 

Step 3 : The message M 1 022 is inputted into the hash function H 1 025 to thereby compute the hash value e = H(M) . 
Step 4: Through the computation process Y ■ x + e (mod n)" 1026, a first tally T = x + e (mod n)" is determined. 
Step 5: When the decision "r = r' ?" 1027 results in r = r* or YES, data "authenticated" is outputted. and if otherwise, 
"not authenticated" is outputted. 

As the parameters required for the computations performed by the digital signature verifying function module 1 023, 
the elliptic curve (E) 1006, the base point or system key (P) 1007 and the order (n) 1008 as registered in the public file 
1005 held by the system manager's computer 1002 are referenced. 

Through the processes described above, the digital signature (r, s) functions as an electronic seal (i.e., seal or 
"hanko" impressed electronically by the user A for the message M. To say in another way. the user B can hold the set 
of the message M and the digital signature (r, s) as the evidence indicating that the message M is issued by the user A. 
Further, although the user B can recognize the authenticity of the set of the message M and the digital signature (r, s), 
the user B can not originally generate the set of the message M and the digital signature (r, s). For this reason, the user 
A can not negate later on the fact that the digital signature (r, s) has been generated by the user A. 

However, the conventional system described above suffers the problems which will be elucidated below. 

(1) Insufficient Proof for Security 

In general, generation of a digital signature by a person having no private key provides a problem. If otherwise, 
the authenticity of the digital signature can not be ensured, degrading the creditability of the electronic commerce 
and rendering it impractical. 

In the conventional system described above, it is required to provide that such tally combination (r, s) can not 
be generated which allows the output "authenticated* to be generated in the course of the digital signature verifica- 
tion processing without knowing the private key d A However, the conventional system provides no proof to this end. 
Parenthetically it should be mentioned that the problem mentioned above has been pointed out in conjunction with 
ElGamal signature technology on which the conventional system described above is based. 

(2) Long bit length of the digital signature 

Now, assuming that relevant parameters have respective bit lengths as follows: 

(a) The bit length representing the order n of the base point P is / n bits (e.g. 160 bits). 

(b) The bit length representing the output of the hash function H is / H bits (e.g. 160 bits). 
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(C) The bit length of the private key cIa 15 bits (ag. 160 bits). 

The output value of the hash function H given by of 160 bits is considered as being necessary in view of the 
fact that the hash function H has a collision-free property. In this conjunction, it is contemplated with the phrase "col- 
5 lision-free property" to mean that cfiff icutty is encountered in finding two Afferent input values which result in a same 
output value in view of the com pu tat i onal overhead By way of example, in the case where the output value of a 
hash function His 160 bits, it will be possible to find two different input values which results in a same output value 
by carrying out an attack method known as "Paradox of Birthday* a number of times on the order of 2 80 on an aver- 
age, which is however difficult in view of the computational overhead. 
w Further, the bit length of 1 60 bits for the order n of the base point (system key) is considered as being neces- 

sary because of difficulty of solving the cfiscrete logarithm problem relevant to the addition on the elliptic curve. 

In this case, when the length of the tally i of the digital signature (r, s) is of ^ bits with the length of the tally s 
being of t n bits, then the total bit number amounts to (/ n + AO bits (ag. 320 bits). 

(3) The length of the cfigital signature is determined in dependence on the length of the parameter n of the elliptic 
75 curve. Consequently, when the length of the parameter Q is increased for ensuring the security of the digital signa- 
ture more positively in the futura the length of the digital signature increases correspondingly. Parenthetically, in 
conjunction with RSA and EES, it is noted that the length of the parameter q is unavoidably increased because of 
enhancement of the decryption method and the computer performance promoted as a function of the time lapse. 
Same will apply equally to the elliptical encryption in the future. To say in another way, it is expected that the length 
20 of the parameter n will necessarily increase as the decryption technology and the computer performance are 
enhanced as a function of time lapse. Such being the circumstances, it is desirable in conjunction with the elliptic 
encryption to realize the digital signature which does not depend on the length of the order o of the base point or 
system key P. 

25 SUMMARY OF THE INVENTION 

In the light of the state of the art described above, it is an object of the present invention to provide a digital signa- 
ture generating and/or verifying method and system using a public key encryption scheme with high security as well as 
a recording medium for storing a program for carrying out the method. 

Another object of the present invention is to provide a digital signature generating and/or verifying method and sys- 
30 tern using a public key encryption scheme, which allows the bit length of the digital signature to be shortened, and a 
recording medium for storing a program realizing the same. 

Yet another object of the present invention is to provide a digital signature generating/verifying method and system 
which are based on the use of a public key encryption method in which the length of the digital signature is made to be 
independent of the length of the order of the base point, and a recording medium employed for storing a program real- 
ms izing the same. 

In view of the above and other objects which will become apparent as the description proceeds, there is provided 
according to a first generic aspect of the present invention a digital signature generating/verifying method of generating 
and/or verifying a digital signature authenticating electronically a signature affixed to a given document or message (M) 
by resorting to a public key encryption scheme. The digital signature generating/verifying method includes processing 
40 steps of determining for the given document or message (M) a hash value (e) satisfying a condition that e e H(M) by 
using a hash function (H). and determining for a numerical value (x) derived from translation of a random number a hash 
value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is shorter than that of the 
first-mentioned hash function (H). 

Further, according to another general aspect of the present invention, there is provided a digital signature generat- 
es ing and/or verifying method of generating or verifying a multiple digital signature authenticating electronically signatures 
affixed to document such as messages and/or comments (Mj) as created and/or added sequentially by N users i (where 
i = 1, .... N) by using a public key encryption scheme. The digital signature generating/verifying method includes the 
steps of (a) determining for a given one of the messages (Mj) a hash value (ej satisfying a condition that e; = HfMJ by 
using a hash function (H), (b) determining for a numerical value (x f ) obtained from translation of a random number a 
50 hash value (rj satisfying a condition that r f = h(Xj) by using a hash function (h) whose output value is shorter than that 
of the first-mentioned hash function (H) and (c) executing the above-mentioned steps (a) and (b) for each of the users 
[ (where i = 1 N). 

According to another general aspect of the present invention, there is provided a digital signature generating/veri- 
fying system for generating a digital signature authenticating electronically a signature affixed to a given message (M) 
ff by resorting to a public key encryption scheme. The digital signature generating/verifying system is composed of a 
processing unit for determining for the message (M) a hash value (e) satisfying a condition that e a H(M) by using a 
hash function (H), a processing unit or module for determining for a numerical value (x) obtained from translation of a 
random number a hash value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is 
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shorter than that of the hash function (H). 

Furthermore, according to another general aspect of the present invention, there is provided a digital signature 
generating and/or verifying system for generating and/or verifying a multiple digital signature authenticating electroni- 
cally signatures affixed to document such as messages and/or comments (MJ as created and/or added sequentially by 

5 N users i (where i s 1 N) by resorting to the use of a public key encryption scheme, wherein the digital signature 

generating/verifying system includes a module for determining for a given one of the messages (Mj) a hash value (ej 
satisfying a condition that e, - H(Mj) by using a hash function (H), a module for determining tor a numerical value (xj 
derived from translation of a random number a hash value (rj satisfying a condition that r f = hfxj by Using a hash func- 
tion (h) whose output value is shorter than that of the first-mentioned hash function (H), and a module for validating the 
10 above-mentioned modules for each of the users i (where i * 1 , N). 

The above and other objects, features and attendant advantages of the present invention will more easily be under- 
stood by reading the following description of the preferred embodiments thereof taken, only by way of example, in con- 
junction with the accompanying drawings. 

75 BRIEF DESCRIPTION OF THE DRAWINGS 

In the course of the description which follows, reference is made to the drawings, in which: 

Fig. 1 is a schematic block diagram showing generally a system configuration according to an exemplary embodi- 
20 ment of the present invention; 

Fig. 2A is a block diagram showing a system configuration of a single digital signature generating/verifying unit exe- 
cuted by a user A's personal computer shown in Fig. 1 ; 

Fig. 2B is a flow chart for illustrating a processing involved in the single digital signature generation algorithm exe- 
cuted by the user A's personal computer in conjunction with the system shown in Fig. 1 ; 
25 Fig. 3 is a flow chart for illustrating a processing for a single digital signature verification processing or algorithm 
executed by a user B's personal computer in the system shown in Fig. 1 ; 

Fig. 4 is a flow chart for illustrating a processing for a duple digital signature generation processing or algorithm 
executed by the user B's personal computer in the system shown in Fig. 1 ; 

Fig. 5 is a flow chart for illustrating a processing for a duple digital signature verification processing or algorithm 
30 executed by a user C's personal computer in the system shown in Ftg. 1 ; 

Fig. 6 is a block diagram showing a computer network configuration according to another embodiment of the inven- 
tion; 

Fig. 7 is a flow chart for illustrating a processing for a triple digital signature generation algorithm executed by the 
user C's personal computer shown in Ftg. 6; 
35 Fig. 8 is a flow chart for illustrating a processing for a triple digital signature verification algorithm executed by a user 
D's personal computer in the system shown in Fig. 6; and 

Fig. 9 is a schematic diagram showing generally a configuration of a conventional computer network system 
designed for transferring electronic documents affixed with cfigrtaJ signatures known heretofore. 

40 DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Now, the present invention will be described in detail in conjunction with what is presently considered as preferred 
or typical embodiments thereof by reference to the drawings. In the following description, like reference characters des- 
ignate like or corresponding parts throughout the several views. Also in the following description, it is to be understood 
45 that such terms as "document", "comment", "message" and the like are words of convenience and are not to be con- 
strued as limiting terms. 

Figure 1 is a schematic block diagram showing generally a system configuration according to an exemplary embod- 
iment of the invention. Referring to the figure, there are connected to a network 1 01 , a user A's personal computer 1 02, 
a user B's personal computer 1 03 and a user C's personal computer 1 04. In the user A's personal computer 1 02, a user 

so A's signature (r 1t s n ) 1 11 is generated for a user A's created document (M<j) 110 by using a base point which may also 
be referred to as the system key (P) 11 7 and a user A's private key (d^ 118 in accordance with a single digital signature 
generation algorithm ( AL 1 ) 1 05 to be subsequently sent to the user B's personal computer 1 03 via the network 1 0 1 . In 
this conjunction, "r-," and "s^ofthe user A's signature^, 111 are defined as a first tally and a second tally, respec- 
tively. In the user B's personal computer 103, authenticity of the user A's issued document 109 composed of a set of 

55 the user A's created document (M<j) 110 and the user A's sicpiature (r 1( s0 1 1 1 is verified by using a base point or sys- 
tem key (P) 1 19 and a user A's public key (Q^ 120 in accordance with a single digital signature verification algorithm 
(AL^ 106 and at the same time, a user A's and B's multiple signature (r,, r 2 , S2) 113 is generated for the user A s cre- 
ated document (M0 (i.e., document M, created by user A) 1 15, the user A's signature (r 1f s,) 1 1 1 and a user B's addi- 
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tion such as comment (Mz) 1 1 4 by using the base point (P) 1 1 9 and the user Bs private key (cy 1 2 1 in accordance with 
a duple digital signature generation algorithm (ALj) 107 to be subsequently sent to the user Cs personal computer 1 04 
via the network 101. In the user Cs personal conrputer 104, authenticity of the use- B's issued document 112 com- 
posed of the set of the user A's created document (M t ) 115 and the user B's adoption or comment (MJ 1 14 as well as 
the user A s and B's multiple (duple) signature (r t , r 2 , 62) 1 13 is verified by using the base point (P) 122. a user A s public 
key (Q1) 123 and a user B's puttie key (Cfe) 124 in accordance with a duple digital signature verification algorithm (AL 2 ") 
108. 

Figure 2A is a block diagram showing a system configuration of the single cfigitaJ signature generation/verification 
system shown in Fig. 1 and Fig. 2B is a f low chart for illustrating the processing for the single cfigitaJ signature genera- 
tion algorithm (AL^ 105 mentioned previously in conjunction with the system shown in Rg. 1. Description will now be 
made by reference to Figs. 2A and 2B. 

The system configuration shown in Fig. 2A bears correspondence to the one shown in Rg. 9. It can be seen that 
the former differs from the latter in respect to the tfgorithm in the digital signature generating blocte 1031 and 1032. the 
algorithm in the digital signature verifying block 1026 and the output algorithm in the block 1024. 



Single Digital Signature Generation Algorithm (AL£ 105 

Step 201 : Processing for executing this algorithm (ALi) 105 is started. 

Step 202: The user A s created document (M<|) 1 10, the base point (P) 1 1 7 and the user A's private key (d1 ) 1 1 8 are 
inputted. 

Step 203: A random number k 1 of t H bits is generated. 
Step 204: Computation is performed for determining k\ P - (x 1 , yj ). 
Step 205: Hash value n (a Ufa)) of 1^2 bits is computed. 
Step 206: Hash value e 1 (« HfMj)) of / H bits is computed. 

Step 207: Computation is performed for determining a tally $<\ in accordance with s 1 o k t + d 1 (e 1 + rO (mod n). 
Step 208: Value of the single digital signature (r 1( s 1 ) 111 is outputted. 
Step 209: The processing is terminated. 

The single digital signature generated through the processing described above corresponds to an electronic image 
of a seal ("hanko" in Japanese) impressed on the message M 1 by the user A. In other words, the single digital signature 
(r 1 . si) can be generated only when the private key di equivalent to the seal kept only by the user A is used for the mes- 
sage M 1 as furnished. 

Figure 3 is a flow chart for illustrating a processing for the single digital signature verification algorithm (AL/) 106 
in conjunction with the system shown in Rg. 1 . Description will now be made by reference to Fig. 3. 



Sinole Digital Signature Verification Algorithm ( AL^ 106 



Step 301 
Step 302 
Step 303 
Step 304 
Step 305 

Step 306: 
Step 307: 

Step 308 
Step 309 
Step 310 
Step 311 



Processing is started. 

The user A's created document (Mj) 110 and the single digital signature (r 1( s,) 111 is inputted. 
The system key (P) 1 1 9 and the public key (Q t ) 120 are inputted. 
Hash value e 1 = H(Mj) of t H bits is computed. 

Computation is performed for determining a first point on an elliptic curve, i.e., a first elliptic point (*<\,y<\) 
nSiP-to+r^Ov 

A numeric value r^ = h(x 1 ) is computed. 

When the condition that r 1 & r 1 ' is met, the processing proceeds to a step 308 while H otherwise to a step 
310. 

A signal or data "authenticated" is outputted. 

The first elliptic point (x 1 . y 1 ) is outputted, whereon the processing proceeds to a step 311. 
"Not authenticated" is outputted 
The processing is then terminated. 



Through the processing described above, it can be confirmed whether or not the single or simple digital signature 
(r 1( sO is a correct signature, i.e., whether or not the single digital signature (r 1( s^ corresponds to the correct or true 
seal image. More specifically, upon reception of the message M A and the single or 6imple digital signature (r 1t s,), the 
user B (or user B's computer) checks to oonf inn the authenticity of the digital signature by referencing the public key 
which corresponds to the registered seal ("hanko"). 

Figure 4 is a flow chart for illustrating a processing for the duple digital signature generation algorithm (AL2) 1 07 in 
conjunction with the system shown in Fig. 1. Description will now be made by reference to Fig. 4. 
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Duple Digital Signature Gene ration Algorithm f ALg) 107 
Step 40 1 : Processing is started. 

Step 402: User B's addition or comment (M2) 1 14, the base point (or system key) (?) 1 19 and the user B's private 
5 key (ay 121 are inputted. 

Step 403: The first point fa , yi) on the elliptic curve outputted in the step 309 is fetched. 

Step 404: A random number k^ of bits is generated. 

Step 405: A point (x, y) o typ is computed. 

Step 406: A second point (xg, v 2> - ( X 1 . yi) + (* V) fe computed. 
10 Step 407: Hash value r 2 s h(x£ of t^fl bits is computed. 

Step 408: Hash value Bz * H(M2) of Ih bits is computed. 

Step 409: Computation for determining a tally given by S2 » s t + k2 + d2(e2 + ^ + r^ (mod n) is performed. 
Step 410: Value of the duple cfigital signature (r 1f r 2 , S2) 1 13 is outputted. 
Step 41 1 : The processing comes to an end. 

15 

The duple digital signature fa. r 2 . 62) generated through the processing described above corresponds to the seal 
image impressed on a whole document prepared by adding the user B's comment or addition (M2) 1 1 4 to the message 
(M 1 ) 1 1 0 created by the user A and affixed with the single digital signature fa , Si ) 1 1 1 . More specifically, when the mes- 
sage M 1 created by other person (user A) and affixed with the other person's single digital signature or the user A s sin- 
20 gle digital signature fa, s t ) in the case of the fllustrated example is received by the user B and when the user B wants 
to add the comment M2, the duple digital signature fa. r 2 . s^ is generated, which incficates that the seal is impressed 
for the whole document by using the private key cfe corresponding to the seal which only the user B possesses. 

Figure 5 is a flow chart for illustrating a processing tor a duple digital signature verification algorithm (AL 2 ) 108 in 
conjunction with the system shown in Fig. 1 . Description will now be made by reference to Fig. 5. 
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Step 50 1 : Processing is started. 

Step 502: The user As created document (Mt) 1 15, the user B's added comment or addition (M^ 1 14, and the 

30 duple digital signature fa , r 2 . 62) 1 13 are inputted. 

Step 503: The base point or system key (P) 122. the user A's public key (Q0 123 and the user B's public key (Cfe) 
124 are inputted. 

Step 504: A hash value » H(M0 of t H bits is computed. 

Step 505: A hash value eg * HfM^ of / H bits is computed. 

35 step 506: A second elliptic point given by (x 2 , 0 % p " ( e i + r i)Qi * (®2 + r i +*2)Q2 te computed. 

Step 507: A numerical value r 2 ' *> h(X2> is computed. 

Step 508: When r 2 s r 2 \ the processing proceeds to a step 509. and if otherwise, to a step 51 1 . 

Step 509: A signal "authenticated" is outputted. 

Step 51 0: The second elliptic point (x 2 , y 2 ) is outputted, whereon the processing proceeds to a step 512. 

40 Step 511: A signal or data "not authenticated" is outputted. 

Step 51 2: . The processing comes to an end. 

Through the processing described above, it is confirmed whether or not the duple digital signature fa, r 2 , s 2 ) is a 
correct signature, i.e. , whether or not the duple digital signature fa , r 2 , s 2 ) corresponds to the correct or true seal image. 
45 More specifically, upon reception of the message M 1( message Mj and the duple digital signature fa, r 2 , 82), the user 
C checks to confirm that the digital signature is made authentically by the very users A and B by referencing the public 
Keys Q 1 and Q 2 which correspond to the registered seals. In that case, the user C can confirm the authenticity of the 
digital signature without using either the private key d 1 corresponding to the user A's seal or the private key d 2 corre- 
sponding to the user B's seal. 

so in the foregoing, generation of the duple digital signature by using two private keys d 1 and d 2 has been described 
as an exemplary embodiment of the invention. In this conjunction, it should be mentioned that the principle underlying 
the digital signature generating/verifying method described above can be extended in general for the generation of an 

N-tupie digital signature generated by using N private keys d 1 , 62 dfg. 

Figure 6 is a block diagram showing a computer network configuration according to another embodiment of the 

55 invention on the assumption that the system is expanded so as to enable triple digital signatures, i.e., N = 3. Referring 
to the figure, there are newly connected to the network 101 , a user D's personal computer 606 in addition to the user 
A's personal computer 102, the user B's personal computer 103 and the user Cs persona) computer 104. Set up newly 
in the user Cs personal computer 104 in addition to the dual digital signature verification algorithm (AL 2 1 108, the sys- 
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tern key or base pant (P) 122, the user A's public key (Q,) 123 and the user B*s public key (Q^ 124 are a triple digital 
signature generation algorithm (AL3) 604 and a user Cs private key (da) 605. The user Cs personal computer 1 04 cre- 
ates a user Cs issued document 601 and sends it to the user personal conputer 606. The user C s issued docu- 
ment 601 contains newly a user C6 addition or comment (M3) 603 and users A's, B's and Cs signatures (r 1( r 2 . r 3 . s 3 ) 

* 602 in addition to the user As created document (M,) 613, the user B's addition such as a comment (N/y 614 and a 
user A s and B's signatures (r 1( r 2 , 62) 612. Set tp in the user D's personal computer 606 are a triple digital signature 
verification algorithm (AL^ 607, a base point (P) 608. the user A's public key (Q,) 609, the user B's pubfic key (Q 2 ) 610 
and the user Cs public key (Q 3 ) 611. 

Figure 7 is a flow chart for illustrating a processing for the triple digital signature generation algorithm (AL 3 ) 604 

70 executed by the user Cs personal computer 1 04 shown in Fig. 6. 



Tripift Digital Signature Generation Algorithm ( AL ? ) 604 

Step 701 : Processing is started. 

75 Step 702: The user Cs addition or comment (M3) 603, the private key ((J3) 605. the base point (P) 122 and the duple 
digital signature (r 1( r 2 . $2) 612 are inputted. 

Step 703: Second elliptic point (x 2 , y£ outputted in the step 510 is fetched. 

Step 704: A random number 1^ of / H bits is generated. 

Step 705: A point k 2 P = (x, y) is computed. 

20 Step 706: Coordinates (x 3 , « (x 2 , y 2 ) + (x, y) are computed. 

Step 707: A hash value r 3 = h(x 3 ) of 1^2 bits is computed. 

Step 708: A hash value 63 - H(M£ of / H brts is computed. 

Step 709: A tally S3 = sj + H3 + d 3 (e3 + r t + r 2 + r 3 ) (mod n) is computed. 

Step 710: Value of the triple digital signature (r 1( r 2 . r 3 , S3) 602 is outputted. 

25 Step 41 1 : The processing is terminated. 



The triple digital signature (r 1 , r 2 , r 3 , S3) generated through the processing described above corresponds to the seal 
image impressed on a whole document obtained by adding the user Cs comment or addition M 3 to the messages M 1 
and M2 affixed with the users A and B's multiple digital signatures (r lP r 2 , s^. More specifically, when the messages 
30 and M 2 affixed with other users' multiple digital signature (i.e., the users A's and Bs' multiple digital signatures in the 
case of the illustrated example) (r 1( r 2 , s^ are received by a user (i.e.. user C) and when the user C wants to add the 
comment M 3 , the triple digital signature (r 1 , r 2 , r 3 , 63) can be generated for the whole document created by the users A 
and B and added with the comment M 3 by the user C only by using a private key d 3 corresponding to the seal which 
only the user C possesses. 

35 Figure 8 is a flow chart for illustrating a processing for the triple digital signature verification algorithm (AL 3 ) 607 
executed by the user D's personal corrputer 606 in conjunction with the system shown in Fig. 6. Description will now 
be made by reference to Fig. 8. 



Triple Digital Signers Verification AlflPrithm {farf $Q7 



40 



45 



Step 801 : 
Step 802: 

Step 803: 

Step 804 
Step 805 
Step 806 
Step 807 

Step 808 
Step 809 
Step 810 
Step 81 1 
Step 812 
Step 813 



Processing is started. 

The user A s created document (M<j) 613, the user B's addition or comment (M^ 614, the user Cs addition 

or comment (M3) 603 and the triple digital signature (r 1t r 2 , r 3 , S3) 602 is inputted. 

The base point (?) 608, the user A's public key (Q<,) 609, the user B's public key (Q^ 610 and the user 

Cs public key (Qa) 61 1 are inputted. 

A hash value e 1 = H(M<,) of / H bits is computed. 

A hash value 63 <= H(M 2 ) of / H hits is computed. 

A hash value e3 = H(M 3 ) of ty\ bits is computed. 

A third point on the elliptic curve, i.e., a third elliptic point (x 3 , y 3 ) o s 3 P - (ej + r^C^ - (e 2 + r 1 +r 2 )Q 2 -(63 
+ r 1 +r 2 + r 3 )Q 3 is computed. 
Tally r 3 s h(x 3 ) is conputed. 

When r 3 ' = r 3 . the processing proceeds to a step 810, and if otherwise, proceeds to a step 612. 
Signal "authenticated'' is outputted. 

The third elliptic point (x 3 , y 3 ) is outputted, whereon the processing proceeds to a step 813. 
Signal "not authenticated" is outputted. 
The processing comes to an end. 



Through the processing described above, it is confirmed whether or not the triple digital signature (r 1( r 2 , r 3 , s 3 ) is 
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10 



20 



25 



35 



50 



a correct signature, i.e., whether or not the triple cfigita) signature (r 1( r 2 . r 3 , 63) corresponds to the correct or true seal 
image. More specifically, upon reception of the message M 1t the message M2, the message M3 and the triple digital 
signature (r^ r 2 . r 3 , S3), the user D can check to confirm whether or not the digital signatures have been made by the 
very users A, B and C by referencing the prtlic keys Q,, Q2 and Q3 which correspond to the registered seals ("hanko") 
of the users A. B and C, respectively. 

The above-mentioned digital signature generation/verification method can be expanded to the case where N is 
equal to or greater than "4" (four) . In other words, in general, a digital signature generating/verifying method for verifying 
electronically a multiple digital signature affixed to messages and/or comments M t created and/or added by N users (i 
= 1, .... N) can be carried out in general as follows: 

Pmnpdure for Vprifvino Muf tiplft Digital Sirmatirrft hv Users i (2 <. i <, H\ 



Step 901 : Processing is started. 

Step 902: The (i • 1 ) messages or comments M 1 M M and the p - 1)-tupie dgital signature (r, r M , s^) issued 

75 by an immediately preceding user (1 - 1) are received. 

Step 903: Computation of a hash value e k « H(MJ is repeated for the user (i - 1 ) starting from k= 1. 

Step 904: Public keys 0* previously generated for satisfying o cy> and registered are inputted repetitionally for 

the user (i - 1) starting from k e 1. 

Step 905: A point (Xm . y M j on the elliptic curve given by the following expression (5) is computed. 



M k 
*-1 M-1 



Step 906: A hash value r M ' = h^.,) is computed. 

Step 907: When r k1 = r^', then data or signal indicating "authenticated" is issued. 

Step 908: Point (Xj. 1( y M ) on the eOiptic curve is outputted, whereon the processing proceeds to a step 910. 

Step 909: If r M * r M \ data indicating "not-authenticated" is issued. 

30 Step 91 0: The processing comes to an end. 

In other words, the digital signature generation/verification method for generating electronically the multiple digital 

signature affixed to messages and/or comments (i.e., document) Mj created or added by N users (i = 1 N) can be 

performed as follows: 



Generation Procedure pf MMple Pioital Signature by User? i (2 $ i s N) 



Step 1001: Processing is started. 

Step 1 002: The point (x i . 1 , Y M ) obtained at the step 908 is inputted. 

40 Step 1 003 : A hash value 3 = H(Mi) is computed. 

Step 1004: A random number kj is generated. 

Step 1005: Point kjP = (x, y) is computed. 

Step 1006: Point (Xj, yj = (x M , Y^) + (x, y) are computed. 

Step 1007: A hash value r 1 = h(Xj) is computed. 

45 Step 1 008: By using private keys d p the tally Sj given by the following expression is determined. 

i 

5, = s M +* / +d,(e / + £ f*)(modn) 

Step 1009: A set of the numerical values , r f Sj) is outputted as the digital signature. 

The embodiments of the invention described by reference to Figs. 3 to 5 are directed to the multiple digital signature 
55 realized by making use of the addition defined on the elliptic curve. However, in general, such multiple digital signature 
can equally be realized by resorting to binary operation defined on the abetian group. 

By way of example, in a set 2^ of integers from "1" to "n - 1" (where n represents a large prime number on the order 
of 1 ,000 bits), multiplication is defined in the world of modulo a Then, z n represents an abelian group. The base point 
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P (1 < P < n) is selected appropriately with the private key & and the pttfic key Q being so selected that the following 
relation can apply valid: 

Q«P d (modn) (1) 

In conjunction with the above expression (1), it is noted thai the problem of determining d tor given values of Q. P 
and n represents a discrete logarithm problem which is difficult to solve in view of the computational overhead when the 
value of n is large. 

On the presumption mentioned above, the single digital signature generation algorithm (AL^ 105 described previ- 
ously by reference to Fig. 2, for example, is modified as follows: 

Single Digital Signature Generation Algorithm fALj) 

Step 201 : The processing is started. 

Step 202: The user As created document M t , the base point P and the private key d1 are inputted. 

Step 203: A random number or integer of / H bits is generated. 

Step 204: Computation is performed for determining « 

Step 205: A hash value ^ * hfxj) of Ly/1 bits is computed. 

Step 206: A hash value e, « HfM^ of bits is computed. 

Step 207: Computation is performed for determining the tally » k«, + + ij) (mod n). 

Step 208: Value of the single digital signature (r v s-,) is oulputted. 

Step 209: The processing comes to an end. 

The single digital signature (r v s t ) obtained, being modified as mentioned above, brings about advantageous 
effects similar to those obtained in the digital signature generating/verifying method described hereinbefore by refer- 
ence to Fig. 2. Similar modification of the multiple digital signatures can provide similar advantages as those mentioned 
hereinbefore. 

With the arrangements of the digital signature generating/verifying systems described above, there can be assured 
such advantageous effects as mentioned below. 

(1) It is impossible to forge a digital signature of other person without knowing the other person's private key. Secu- 
rity concerning the forgery prevention of the single digital signature (r 1 , &<,) will be demonstrated by the proposition 
1 described hereinafter. 

(2) The length of the digital signature can be shortened. By way of example, assuming that the order n is 160 bits 
and that the length of the output value of the total hash function H is 160 bits, then the length of the single digital 
signature in the conventional system is 240 bits. By contrast, in the case of the systems according to the invention, 
the length of the single digital signature is 240 bits. Furthermore, the length of the duple digital signature in the con- 
ventional system is 640 bits, whereas in the systems according to the invention, it is only 320 bits. In general, in the 
case where the N-tuple digital signature is affixed, the total length of the digital signatures is of 320 * N bits, 
whereas in the system according to the present invention, rt is 160 + 80 x N bits. Thus, when the value of N is large, 
the length of the digital signature according to the invention can be reduced by ca. 1/4 when compared with the sig- 
nature length in the conventional system. In other words, the length of the digital signature can be significantly 
reduced according to the teachings of the invention. 

(3) According to the invention, it is possible to make the length of the digital signature be independent of the length 
of the order n. Assuming now that the length of the output of the total hash function H is sufficiently greater than 
that of the random integer fc the length of the tally & of the signature can be suppressed smaller than the length of 
the outputs of the total hash function H plus the length of the private key d- Thus, independent of the length of the 
order n, the length of the N-tuple digital signatures can be made to be not greater than "the length of the output of 
the whole hash function H + private key S+Nx length of the output of the half-hash function h". 

In each of the digital signature generation/verification system according to the embodiment of the invention 
described above, the processing steps of executing the digital signature generating method can be stored in the form 
of a programs in a recording medium such as a CD-ROM, a floppy-disk, a semiconductor memory or the like, wherein 
the program can be loaded and executed in a computer for generating the digital signature for thereby generating the 
digital signature. Similarly, the processing steps included in the input digital signature verifying method can be loaded 
in the computer for the digital signature verification in the form of a program to be executed for verifying the digital sig- 
nature. Needless to say, the digital signature generating/verifying program mentioned above may be down-loaded to cli- 
ent personal computers from the server computer. 
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Lemma (Subsidiary PrDDOSitiQn) 1 

It is presumed that H represents a hash function having a one-way property, the algorithm AL is not difficult to exe- 
cute in view of the computational overhead and that data generated without resorting to the use of the hash function is 
irputted to thereby generate on a memory in the course of computation the numerical values of x and y which satisfy 
the equation "y * H(x)". In that presumed case, the numerical value y can never mate appearance on the memory so 
long as the numerical value 2 has not made appearance ever on the memory in the past 

D emonstration 

Demonstration will be made by resorting to "reductio ad absurdum (reduction to absurdity)- or irrationality It is 
assumed that the value y satisfying the function y = H(x) has made appearance on the memory in precedence to the 
value 2. However, since the hash function H is of the one-way property, computation for the reverse transformation of 
the hash function H, i.e., x • H* 1 (y) is impossWa Accoitfingly, in order to generate the value x on the memory, it is nec- 
essary to supply externally such input data from which the value 2 capable of satisfying the hash function y = H(x), 
which however contradicts to the inputting of the data generated without using the hash function H. 

The Demonstration of the lemma 1 is now concluded. 

Proposition 1 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally it is assumed that the hash function H{ • ) of / H has colfision-free property as well as the one-way prop- 
erty. Furthermore, it is presumed that the hash function h( • ) of l^fZ bits has also the one-way property. In that case, 
when l n zi H ' there exists no algorithm AL3 which can output in response to the inputting of the base point (system key) 
P and the public key Q 1 the message M 1 and the single digitaJ signature (r 1t s^ for which the algorithm Al^ outputs 
"authenticate" so long as the private key 6, is unknown. 

Demonstration 

Now. it is supposed that such algorithm AL 3 exists which can output in response to the inputted system key or base 
point P and the public key Q 1 . the message M 1 and the single digital signature (r 1 . sO for which the verification process- 
ing ALj' outputs "authenticate" without knowing the private key d,. More specifically, it is supposed that such algorithm 
AL 3 exists for which the inputs and the outputs are as follows: 

Input to the algorithm AL^: 

system key (base point) P, and public key 

Output from the algorithm AL 3 : 

message M 1t single digital signature (r 1t s-,) 

where the message M 1 and the single digital signature (r 1t s t ) satisfy the following conditions: 

(x^y^os^-^+r^ (2) 
fi-hjx,) (3) 
•i-HlM,) (4) 

It should be noted that £ n £ t H holds true. 

On the conditions mentioned above, the number of the outputs from the algorithm AL 3 is three, i.e., 1^ , and r 1 . 
Accordingly, in the course of the processing according to the algorithm AL 3 , the correct output values make appearance 
in either one of the orders or sequences mentioned below: 

Case 1 : Correct output values make appearance in the sequence of Si , r 1 and M 1 . 

Case 2: Correct output values make appearance in the sequence of r 1 , 6 1 and M 1 . 

Case 3 : Correct output values make appearance in the sequence of s 1 , M 1 and r 1 . 

Case 4: Correct output values make appearance in the sequence of M 1 . s 1 and r 1 . 

Case 5: Correct output values make appearance in the sequence of r t , M 1 and s v 

Case 6: Correct output values make appearance in the sequence of M 1 , r 1 and s 1 . 
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In the cases 1 and 2 mentioned above, the correct output values of St and make appearance in precedence with 
the correct value of the message M 1 making no appearance at a given time point in the course of the processing. Since 
b in the expression (3) represents the hash function, the correct output value of the tally Xj must make appearance in 
precedence to that of the tally h in the light of the "Lemma 1" stated previously. When the value of the tally x t is deter- 

ff mined the value of the tally y, assumes either one of two values ±0 because the term (X, , y t ) m the expression (2) rep- 
resents a point on the elliptic curve E. In correspondence to the value +p or «p of the tally y v the hash value e, which 
can satisfy the condition given by the expression (2) is Gmited to two different values. After the time point of concern, 
the message M 1 satisfying the condition given by the expression (4) so that the hash value e t assumes either one of 
the two value must be determined, which however contradicts to the fact that - H" in the expression (4) represents the 

w hash function. Accordingly, the situations corresponding to the Cases 1 and 2 can not take place. 

In the Cases 3 and 4 mentioned above, the correct output value of and the message M 1 make appearance in 
precedence with the correct value of the correct output value r, making no appearance at a given time point in the 
course of the processing. At this time point the hash value e A can be determined definitely in accordance with the 
expression (4). After this time point, the value of the tally r, satisfying the conditions given by the expressions (2) and 

75 (3) must be determined. However, it will never occur that the correct output value of the tally r t makes appearance at 
first, being followed by determination of the value for the coordinate x v This is because V in the expression (3) repre- 
sents the hash function. Besides, such case will not occur in which the correct output value of x, makes appearance in 
precedence and thereafter the value of r t is determined. Because, if otherwise, the discrete logarithm problem concern- 
ing the addition on the ellipse can be solved in conjunction with the expression (2), which contradicts the proposition 

20 stated hereinbefore. In other words, the value of ^ can not be determined at any time point. Thus, the situations corre- 
sponcfing to the Cases 3 and 4 can not occur. 

In the Cases 5 and 6 mentioned above, the correct output values of the tally r t and the message make appear- 
ance in precedence with the correct value of the tally s<i making no appearance at a given time point in the course of 
the processing. At this given time point, the hash value e 1 can be determined definitely in accordance with the expres- 

25 sion (4). After this time point, the value of the tally s } satisfying the conditions given by the expressions (2) and (3) must 
be determined. However, it will never occur that the correct output value of the tally s 1 makes appearance at first, being 
then followed by determination of the value for the coordinate x v This is because "h" in the expression (3) represents 
the hash function and the correct output value of x 1 can make appearance before the output value of r 1 is determined 
precedingiy. Besides, such case will not occur in which the correct output value of x 1 makes appearance in precedence 

30 and thereafter the value of s 1 is determined. Because, if otherwise, the expression (2) can be solved concerning the 
unknown , that is, the discrete logarithm problem concerning the addition on the ellipse can be solved, which contra- 
dicts however the proposition stated hereinbefore. In other words, the value of s 1 can not be determined at any time 
point. Thus, the situations corresponding to the Cases 5 and 6 can not occur. 

Thus, there occurs none of the situations corresponding to the Cases 1 to 6 mentioned previously. Thus, the algo- 

35 rithm AL 3 does not exist. 

Now, the demonstration is concluded. 

By the way, it should be noted that in conjunction with the demonstration of the Proposition 1 that the algorithm AL 3 
may exist unless the Proposition 1 that l n 2 / H applies valid. 

To say in another way, if the concfition t n <i H should hold true, there may arise such situation that the message M 1 
ao and the single digital signature (r v s<|) for which the single digital signature verifying algorithm AL^ outputs "authenti- 
cated" can be generated without knowing the private key & 

By way of example, let's suppose that in the computation "s ° k + d(r + e) (mod n) M , the value of l n is small and 
hence the value of n is small. Then, the collision-tree property of hash value £ = H(M) (mod n) may collapse, incurring 
such case where computation is performed such that the tally £ can assume a same value for messages M and M' not- 
as withstanding of the fact that the message M is not same as the message M\ i.e., M * M', as exemplified below. 

Let's suppose, by way of example, that the messages M and M' are written applications for purchasing a car. 
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Message M 

To FT J#&*GH Sales Company 

I will purchase the car A at 1,050,000 yens. 

To be signed bv Takaragi 



Message M' 

To IG#. Hy8(Jk) Sales Company 

I will purchase the car A at 2,050,000 yens. 

To be signed bv Takaragi 



Again suppose that the malicious sales company prepared the written application for purchase such as the mes- 
sage M and handed it over to Mr. Takaragi under the false pretense that the leading character string "FT J# * GH" is 
added for the purpose of ensuring security and that Mr. Tataragi signed the written application (message M) with pleas- 
ure because of low price of the car A. Later on, Mr. Takaragi receives a bill demanding payment of 2.050.000 yens 
together with the exhibit of the message M' affixed with his signature, to his great surprise. However, verification of the 
message M' shows that Mr. Tataragi has signed the written application or message M'. 

In order to exclude positively the injustice such as mentioned above, it is necessary that H represents the hash 
function which has not only the one-way property but also the cdlision-free property and that the parameter n relevant 
to the elliptic curve relation is assigned with a large value tor validating the condition that l n £ /h* 

It should be additionally mentioned in conjunction with the "Demonstration" described above that the hash function 
h may be only of the one-way property and need not necessarily have the collision-free property. However, in case the 
hash function h is not of the one-way property, the values which can satisfy the condition given by the expression (3) 
may be found by arithmetically determining a variety of values tor x by changing & and M while fixing t in the expression 
(2). The message M and the signature (s, r) found in this way may constitute forged message and signature. For this 
reason, it is necessarily required that the hash function h is of the one-way property. 

Moreover, according to the teaching of the invention, the length of the digital signature can be shortened. 

More specifically, the single digital signature , Sj) has a bit length equal to /„ + (e.g. 240 bits), and thus the 
length of the signature can be shortened when compared with the conventional signature length / n + l n (e.g. 320 bits). 
Furthermore, the length of the duple digital signature (r 1( r 2 , s?) is (/ n + t^fZ + I^IZ) bits (e.g. 320 bits), which is signif- 
icantly shorter than the length of the conventional signature / n + / n + /„ (e.g. 480 bits). 

Prpposition 2 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally, it is assumed that the hash function H( • ) of t H bits has the collision-free property as well as the one-way 
property. Furthermore, it is presumed that the hash function h( • ) of trf2 bits has the one-way property as well. In that 
case, so long as t n zt Hl there exists no algorithm AL< which can output the duple digital signature (r, , r 2 , S2> for which 
the algorithm AL 2 outputs "authenticated" without knowing the private key d v 

Demonstration 

Now, it is supposed that such algorithm AU exists which generates the duple digital signature (r 1( r 2 , s^ for which 
the verification processing accortfing to the algorithm AL 2 outputs "authenticated" without knowing both the private key 
d! and the private key cfe. Namely, presumption is made as follows: 

Input to the processing AL4: 

system key (base point) P, and public keys Q 1 and Q 2 , and 
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Output from the processing AL*: 

messages M 1 and ty. duple digital signature (r 1( r 2 , 63), 

where the duple digital signature , r 2 , 62) satisfies the following conditions: 

6,-HtM-,) W 

e 2 «H(M 2 ) (5) 

(x 2 ,y 2 )«s 2 P-(ei+r,)Qi-(e 2 -Hi+r 2 )Q 2 (6) 

r 2 «h(x 2 ) (7) 

In the course of executing the processing accorcfing to the algorithm AL^ t the correct output values make appear- 
ance in either one of the sequences mentioned below: 

Case 1 : Correct output values make appearance in the sequence of $2, i\ and r 2 . 
Case 2: Correct Output values make appearance in the sequence of r 1 , S2 and r 2 . 
Case 3 : Correct output values make appearance in the sequence of r 2 and r<, . 
Case 4: Correct output values make appearance in the sequence of r 2 , &2 and r 1 . 
Case 5: Correct output values make appearance in the sequence of r 1( r 2 and $2. 
Case 6: Correct output values make appearance in the sequence of r 2 , r-i and $2- 

In conjunction with the Case 1 to 6 mentioned above, it is noted that the computation sequence that the correct out- 
put value of the tally r 2 is determined in accordance with the expression (7) only after the correct output value of the 
coordinate x has made appearance is common to all the Case 1 to 6. If otherwise, it contradicts the presumption that 
the hash function h is of the one-way property. 

Additionally, the computation sequence that the hash values e<i and 62 are determined in accordance with the 
expressions (4) and (5), respectively, only after the correct output values of the messages M 1 and M 2 have made 
appearance is also common to the all the aforementioned Cases 1 to 6. If otherwise, it contradicts the presumption that 
the hash function H is of the one-way property and collision-free. 

In the Cases 1 and 2, the correct output values of the tallies $2 and r 1 make appearance at first at a given time point 
in the course of executing the processing whereas the correct output value of the tally r 2 makes no appearance. After 
the above-mentioned given time point, the tally r 2 which satisfies the condition given by the expression (6) must be 
determined. In this conjunction, however, the following facts (a), (b) and (c) have to be taken into account. 

(a) Such situation does not occur in which the correct output value of the tally r 2 makes appearance finally after the 
appearance of the correct hash values e 1 and 62* More specifically, the computation sequence in this case will be 
such that the value of the coordinate x 2 is determined and then the tally r 2 determined. However, this means that 
the equation (6) can be solved with the tally r 2 as the unknown, which contradicts the presumption that the discrete 
logarithm problem on the elliptic curve is insolvable. 

(b) Such situation can not occur that the correct hash value 63 is outputted only after the appearance of the correct 
output values for the hash value e 1 and the tally r 2 , because, if otherwise, the equation (6) is solved with the hash 
value e 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic 
curve is insolvable. 

(c) Such situation can not occur that the correct output value for the hash value e 1 makes appearance only after 
the appearance of the correct output vdtages for the hash value 62 and the tally r 2 , because, H otherwise, the equa- 
tion (6) is solved with the hash value e2 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insolvable. 

In the Cases 3 and 4. the correct Output values of the tallies $2, r 2 and x 2 make appearance at first at a given time 
point in the course of executing the processing, whereas the correct output value of the tally r 2 makes no appearance. 
After the above-mentioned given time point, the tally rj which satisfies the condition given by the expression (6) must 
be determined. Such situation does not occur in which the correct output value of the tally r 1 makes appearance finally 
after the appearance of the correct hash values e 1 and e 2 . Supposing that the correct output value for the hash value 
e 2 makes appearance finally, then it follows: 

(i) If the private keys d 1 and d 2 are known, the expression (6) can be modified as follows: 



14 



EP 0 840 478 A2 



(x 2 , y 2 ) - {s 2 -d^e^^JP -(6^^2)02 (8) 

The above equation (8) is solvable with a taDy r t as the unknown, which of course contracficts the presumption that 
the discrete logarithm problem on the elliptic curve is insolvable. 
5 (ii) tf the private key is known with the private key d 1 being unknown, the expression (6) can be modified as fol- 
lows: 

(x 2 . y 2 ) - {s 2 -d2(e 2 +r 1+ r 2 )}P - (6,+r^Q, (9) 

10 The above equation (9) is solvable with the tally r<t as the unknown, which is in contradiction to the presumption that 
the discrete logarithm problem on the elliptic curve is solvable. 

(iii) When neither the private key 62 nor the private key d 1 is known, the equation (6) is solvable with the tally r 1 as 
the unknown, which is in contradiction to the presumed insdvabifity of the discrete logarithm problem on the elliptic 
curve. 

15 

In view of the foregoing, it can be concluded that the correct output value for the taDy ^ can not make appearance 
finally after the output of the correct hash values e 1 and 62. 

(b) Such situation can not occur that the correct output value for the hash value e 1 makes appearance only after 
20 the appearance of the correct output voltages for the hash value e 1 and the tally r 1 , because, if otherwise, the equa- 
tion (6) is solved with the hash value e 1 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insolvable. 

(c) Such situation can not occur that the correct output value for the hash value e t makes appearance only after 
the appearance of the correct output voltages for the hash value e 1 and the tally r 1f because, if otherwise, the equa- 
ls tion (6) is solved with the hash value 02 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insotvable. Thus. Gases 3 and 4 can not occur 

In the Cases 5 and 6, the correct output values of the tallies r 1t r 2 and x 2 make appearance at first at a given time 
point in the course of executing the processing whereas the correct output value of the tally &2 makes no appearance. 

30 After the above-mentioned given time point the tally s 2 which satisfies the condition given by the expression (6) must 
be determined. In this conjunction, however, the following fads (a), (b) and (c) have to be taken into account. However, 
in that case, (a) such situation does not occur in which the correct output value of the tally s 2 makes appearance finally 
after the appearance of the correct hash values e 1 and 62. Because, this means that the equation (6) can be solved with 
the tally s 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic curve 

35 is insotvable. Further, (b) such situation can not occur that the correct hash value e 2 is outputted only after the appear- 
ance of the correct output values for the hash value e 1 and the tally &2. because, if otherwise, the equation (6) is solved 
with the hash value e 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the 
elliptic curve is insolvable. Furthermore, (c) such situation can not occur that the correct output value for the hash value 
e 1 makes appearance only after the appearance of the correct output voltages for the hash value e 2 and the tally s^ 

40 because, if otherwise, the equation (6) is solved with the hash value e 1 as the unknown, which of course contradicts the 
presumption that the discrete logarithm problem on the elliptic curve is insolvable. Thus, Cases 5 and 6 can not occur. 

From the foregoing, it is concluded that none of the Cases 1 to 6 can occur and thus the algorithm AL4 does not 
exist 

Now, the demonstration is concluded. 
45 As will now be appreciated from the foregoing description, there have been provided a public key encryption 
method of high security and a system for carrying out the same. 

Further, with the public key encryption method and the system according to the invention, the length of the digital 
signature can be shortened. 

Additionally, according to the present invention, the public key encryption method and the system can be so real- 
50 ized that the length of the digital signature has no dependency on the length of the order of the base point (system key). 
Many features and advantages of the present invention are apparent from the detailed description and thus it is 
intended by the appended claims to cover all such features and advantages of the system which fail within the true spirit 
and scope of the invention. Further, since numerous modifications and combinations will readily occur to those skilled 
in the art, it is not intended to limit the invention to the exact construction and operation illustrated and described. 
ss Accordingly, all suitable modifications and equivalents may be resorted to, falling within the spirit and scope of the inven- 
tion. 
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Claims 

1. A digital signature generating method for generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e « H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from translation of a random number a second hash value (r) 
satisfying a condition that r « h(x) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); and 

arithmetically determining and outputting said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as determined. 

2. A digital signature generating method according to daim 1 , 

wherein for generating a digital signature , Si) for a given message (Mj), said method comprises the steps 

of: 

determining a hash value (e-,) satisfying a condition that » H(M^) by using a first hash function (H); 
generating a random number (k<,); 

determining a point (R 1 (= ^P)) by multiplying a point (P) of an abelian group by said random number (k,); 

determining a first numerical value (r,) satisfying a condition that ^ = h(R^) by using the second hash function 

(h) whose output value is shorter than the output value of the first hash function (H); 

determining a second numerical value fa) satisfying a condition that &\ ■ k-i + di (e 1 + (mod n) by using the 

order (n) of said point (P) of said abelian group and a private key (dj); and 

outputting a set of said determined numerical values (r 1( Sj) as a digital signature. 

3. A digital signature generating method according to claim 1 , 

wherein said point (P) of said abelian group corresponds to a base point (P) on an elliptic curve. 

4. A digital signature verifying method for verifying a digital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s), 
a public key (Q) and a base point (P) a second hash value (0 satisfying a condition that f = h(x) from said first 
hash value (e). said digital signature (r, s), said base point (P) and said public key (Q) by using a second hash 
function (h) whose output value is shorter than that of said first hash function (H); and 
comparing said hash value (?) with a tally (r) of said inputted digital signature to thereby obtain a result of ver- 
ification of said inputted digital signature. 

5. A digital signature verifying method according to claim 4, 

wherein for verifying a digital signature (r 1 , s 1 ) of a given message (M 1 ), said method comprises the steps of: 

determining a hash value (e^ satisfying a condition that e t = HfM*,); 

inputting a public key (QO generated previously so as to satisfy a condition Q 1 = djP, where d 1 represents a 
private key, said public key (Q^ having been registered; 

determining arithmetically a point (RO of an abelian group, said point (R ^ being given by = s<|P - (e^ + 
ri)Qi; 

determining a hash value (r^ satisfying a condition that r{ = h(R,); 

outputting a data indicating that said digital signature is authenticated, when said hash value (r,*) coincides 
with a tally (r) of said digital signature; and 

outputting data indicating that said digital signature is not authenticated unless said hash value (r^) coincides 
with said tally (r^ of said digital signature. 

6. A digital signature verifying method according to claim 5. 

wherein said abelian group includes an elliptic curve. 
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A digital signature generating method for generating a multiple digital signature authenticating electronically signa- 
tures affixed to messages and/or comments (Mj) as created and/or added sequentially by N users i (where i = 1 

N) by using a public key encryption scheme, comprising the steps of: 

(a) determining for a given one of said messages (Mj) a first hash value (ej satisfying a condition that e; = H(Mj) 
by using a first hash function (H); (b) determining for a numerical value (xj obtained 
from translation of a random number a second hash value (rj satisfying a oondition that r f = h(xj) by using a 
second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said computation steps (a) and (b) for each of said users i (where i « 1 N); and 

(d) determining arithmetically said multiple cfigital signatures on the basis of the hash values (3 and deter- 
mined in said execution step (c). 

A multiple digital signature generating method according to claim 7, 

wherein for generating said multiple cfigital signature by users i (i £ 2), said method comprises the steps of: 

inputting a set of numerical values (x^, Y^) obtained from translation of random numbers: 

computing a hash value e, « H(Mj) ; 

generating a random number k,; 

computing a point kjP = (x, y); 

computing a point (Xj, yjj = (x^, y M ) + (x t y); 

computing a hash value r { = h(Xj) ; 

determining by using a private key (dj) a tally (Sj) satisfying a oondition given by following expression: 



s, o s M + k f + d f (e, + £ r k) ( mod n ) : 



and 

outputting a set of numerical values (r 1t .... r jt Sj) as said multiple digital signature. 

A digital signature verifying method for verifying a multiple digital signature authenticating electronically signatures 

affixed to messages and/or comments (Mj) as created and/or added sequentially by N users i (where i = 1 N) 

by resorting to a public key encryption scheme, comprising the steps of: 

(a) determining for the inputted message (Mj) a first hash value (ej satisfying a condition that e; = H(Mj) by 
using a first hash function (H); 

(b) determining for a numerical value (xj obtained by arithmetic operation of an inputted multiple digital signa- 
ture (r } , Si), a public key (Q) and a base point (P), a second hash value {r{) satisfying a condition that r{ = h(Xj) 
on the basis of said first hash value (ej, said digital signature (r jr Sj), said base point (P) and said public key (Q) 
by using a second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said steps (a) and (b) for each of said users i (where i represents integers T to "N" inclusive, 
respectively); and 

(d) comparing each of said hash values (r{) determined in said step (c) with each of tallies (r) of said inputted 
multiple digital signature to thereby obtain results of verification of said inputted digital signature. 

A multiple digital signature verifying method according to claim 7, 

wherein for generating a multiple digital signature by users j (i £ 2), said method comprises the steps of: 

inputting (i - 1) messages and/or comments (M 1f .... M M ) and (i • 1)-tuple digital signature (r, r M , s M ) 

issued by an immediately preceding user (i - 1): 

repeating computation of hash values e* » H(M^ f where h represents 1 to (i - 1); 

inputting repetrtionally public keys Q k generated so as to satisfy a condition that Q k = 4P and registered pre- 
viously, where k represents 1 to (i - 1); 
computing a point (R^) of an abelian group in accordance with 



17 



EP0840478A2 



*»1 M.I 

computing a hash value rVi ■ h(Rj.i) ; 

issuing data indicating "authenticated" when 6aid hash value (r^O coincides with a tally Om ) of said (i - 1 )-tuple 
digital signature (i.e., when r M ' - r M ) ; and 

issuing data indicating "not-authenticated" unless said hash value (r^ 1 ) coincides with said tally (r^Ki.e.. when 

1 1 . A digital signature verifying method according to claim 10. 

wherein said abelian group includes an elliptic curve. 

12. A digital signature generating system for generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a pifclic key encryption scheme, comprising: 

processing means for determining for said message (M) a first hash value (e) satisfying a condition that e = 
H(M) by using a first hash function (H) ; 

processing means for determining for a numerical value (x) obtained from translation of a random number a 
second hash value (r) satisfying a condition that r = h(x) by using a second hash function (h) whose output 
value is shorter than that of said first hash function (H); and 

arithmetic/output means for arithmetically determining and outputting said digital signature by using said first 
hash value (e) and said second hash value (r) as determined. 

13. A digital signature generating system according to daim 12, 

wherein for generating a digital signature (r,, s^ for a given message (M,), said system comprises: 

means tor determining a hash value (e,) satisfying a condition that e 1 ° H(M<|) by using the first hash function 
(H); 

means tor generating a random number (k-,); 

means for determining a point (Ri (*> ^P)) by multiplying a point (P) of the abelian group by said random 
number (k^; 

means tor determining a first numerical value (r^ satisfying a condition that r 1 « h(R t ) by using the second 

hash function (h) whose output value is shorter than that of 6aid first hash function (H); 

means for determining a second numerical value ($0 satisfying a condition that s<, - k t + d 1 (e 1 + rj) (mod n) 

by using order (n) of said point (P) of the abelian group and a private key (d<j); and 

means for outputting a set of said determined numerical values (r 1t s^) as a digital signature. 

14. A digital signature verifying system according to claim 13, 

wherein said abelian group corresponds to an elliptic curve 

1 5. A digital signature verifying system for verifying a digital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising: 

first arithmetic means for determining tor said given message (M) a first hash value (e) satisfying a condition 
that e = H(M) by using a first hash function (H); 

second arithmetic means coupled to said first arithmetic means tor determining for a numerical value (x) 
obtained from arithmetic operation of an inputted digital signature (r, s), a public key (Q) and a base point (P) 
a second hash value (r") satisfying a condition that r' « h(x) from said first hash value (e), said digital signature 
(r, s), said base point (P) and said public toy (Q) by using a second hash function (h) whose output value is 
shorter than that of said first hash function (H); and 

verification result output means coupled to said first and second arithmetic means for comparing said hash 
value (0 with a tally (r) of said inputted digital signature to thereby obtain a result of verification of said inputted 
digital signature. 

16. A digital signature verifying system according to claim 15, 

wherein for verifying a digital signature (^ , s,) of a given message (M<,), said system comprises: 



18 



EP0840478A2 



means for determining a hash value (e^ satisfying a concflion that e 1 ■ H(M t ); 

means for inputting a public key (Q^ generated previously so as to satisfy a condition Q, = d^, where d, rep- 
resents a private key, said public key (Q^ having been registered; 

means for determining arithmetically a point (R,) of an abelian group, said point (R,) being given by R, = s,P 
•(ei + r^Qt; 

means for determining a hash value (r^ satisfying a concfiton that « h(Ri); 

means for outputting a data indicating that said dgital signature is authenticated, when said hash value OY) 
coincides with a tally ft) of said digital signature; and 

means for outputting data indicating that said digital signature is not authenticated unless said hash value (r 1 ') 
coincides with said tally Oi) of said cfigrtal signature. 

17. A digital signature verifying system according to claim 16, 

wherein said abelian group includes an elliptic curve. 

18. A digital signature generating system for generating a multiple digital signature authenticating electronically signa- 
tures affixed to message and/or comments (Mi) as created and/or added sequentially by N users' units i (where i = 
1 N) by using a public key encryption scheme, comprising: 

first processing means for determining for a given one of said messages (Mj) a first hash value (6j) satisfying a 
condition that e ° H(Mj) by using a first hash function (H); 

second processing means for determining for a numerical value (xj obtained from translation of a random 
number a second hash value (rj) satisfying a condition that r f - h(xj by using a second hash function (h) whose 
Output value is shorter than that of said first hash function (H); 

third processing means for executing the processings of said first and second processing means for each of 
said users' units i (where i o 1 N); and 

arithmetic/output means for determining arithmetically said multiple digital signature on the basis of said hash 
values (6j and determined by said third processing means. 

1 9. A multiple digital signature generating system according to claim 18, 

wherein for generating said multiple digital signature, each of said users' units i (i £ 2) includes: 

means for inputting said set of numerical values (x^ , Y M ) obtained from the translation of random numbers; 
means for computing a hash value given by a, « H(M { ); 

means for generating a random number kj; means for confuting a point given by kjP » 

(x. y); 

means for computing a point given by (Xj. y$ « (x^, y M ) + (x, y); 
means for computing a hash value given by r\ ■ h(Xj) 

means for determining by using a private key (dj a numerical value (Sj) satisfying a condition given by 
s, * s M + *, + d, (e, + £ r k ) (mod n) ; 

and 

means for outputting a set of determined numerical values (r 1 r i( sj as the digital signature. 

20. A digital signature verifying system for verifying a multiple digital signature authenticating electronically signatures 
affixed to messages and/or comments (MJ as created and/or added sequentially by N users'6 unit i (where i = 1 , 
.... N) by resorting to a public key encryption scheme, comprising: 

first arithmetic means for determining for the inputted message (Mj) a first hash value (ej) satisfying a condition 
that e ; « H(Mj) by using a first hash function (H); 

second arithmetic means for determining for a numerical value (xj obtained by arithmetic operation of the 
inputted multiple digital signature (r j( sj. a public key (Q) and a base point (P), a second hash value (n*) satis- 
fying a condition that r- = h(xj on the basis of said first hash value (ej, said digital signature (r i( sj, said base 
point (?) and said public key (Q) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); 
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processing means for executing repetrtonaBy the arithmetic operation of said first and second arithmetic 
means for each of said users* units] (where i represents integers Tto *N" inclusive, respectively) ; and 
verifying means for comparing each of said hash values (rtf determined by said processing means with each 
of tallies (r) of said inputted multiple tigrtaJ signature to thereby obtain results of verification of said inputted dig- 
ital signature. 

21 . A multiple digital signature verifying system according to claim 20, 

wherein tor authenticating a multiple digital signature by users' units i (i £ 2), each of said users' units 
includes: 

means for inputting fi - 1) messages and/br comments (Mj M M ) and (i - 1)-tuple digital signature (r, r t . 

v s h1 ) issued by an immediately preceding user's units (i - 1); 

means tor repeating computation of hash values e* - HftyJ, where fc represents 1 to (i - 1); 
means for inputting repetitionally public keys Q* generated so as to satisfy a condition that Q k = d k P and reg- 
istered previously where fe represents 1 to (i - 1); 
means for computing a point (R^) of an abelian group in accordance with 

M k 

K-1 Mm<\ 



means for computing hash values r M ' e h (R^); 

means for issuing data indicating that said multiple digital signature is authenticated when said hash value (r h 
0 coincides with a tally (r M ) of said (i - 1)-tuple digital signature (i.e., when r M * » r i _ 1 ), while issuing data indi- 
cating that said multiple digital signature is not-authenticated unless said hash value (r^*) coincides with said 
tally (r M )(i.e., whenr M '*r M ). 

22. A digital signature verifying system according to claim 21 , 

wherein said abelian group includes an elliptic curve. 

23. A computer-readable recording medium for storing a program which is composed of instructions executed by a 
computer and which is for carrying out a method for generating a digital signature authenticating electronically a 
signature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gen- 
erating method comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e « H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from translation of a random number a second hash value (r) 
satisfying a condition that r » h(x) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); and 

arithmetically determining and outputting said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as determined. 

24. A computer-readable recording medium for storing a program which is composed of instructions executed by a 
computer and which is for carrying out a method for verifying a digital signature authenticating electronically a sig- 
nature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gener- 
ating method comprising the steps of: 

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s), 
a public key (Q) and a base point (P), a second hash value (0 satisfying a condition that r* = h(x) on the basis 
of said first hash value (e), said digital signature (r, s), said base point (P) and said public key (Q) by using a 
second hash function (h) whose output value is shorter than that of said first hash function (H); and 
comparing said hash value (r*) with a tally (r) of said inputted digital signature to thereby obtain a result of ver- 
ification of said inputted digital signature. 

25. A method of generating and verifying a digital signature using a public key encryption scheme in a system in which 
a digital signature is generated by a given one computer and transmitted via a network to another computer to be 
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verified thereby, 

for generating a digital signature (r 1( Sj) tor a given message (M,) by said given one computer, 
determining a hash value (e^ satisfying a condition that e, - HfM,) by using a first hash function (H); 
generating a random number (k^; 

determining a point (Ri (- ^P)) by multiplying a point (?) of an abelian group by said random number (k^; 
determining a first numerical value (r^ satisfying a condition that ^ « hfR,) by using a second hash function 
(h) whose output value is shorter than that of said first hash function (H); 

determining a 6econd numerical value (Sj) satisfying a condition that s 1 - k, + d t (e, + r,) (mod n) on the basis 
of the order (n) of said point (P) of said abelian groip and a private key (dj); and 

sending a set of said determined numerical values (r 1( &,) as a digital signature to said another computer via 
said network; and 

for verifying said digital signature (r 1( s^ by said another computer, 

fetching said digital signature (r, , sent from said given one computer, a base point (P), a public key (Q) and 
order (n) from a public fBe; 

determining a hash value (eO satisfying a condition that e t = HiM,); 

inputting a public key (QO generated previously so as to satisfy a condition Q t ° diP, where di represents a 
private key; 

determining arithmetically a point (Rj) of an abefian groip, said point (R 0 being given by R : « s^ - (e, + 

ri)Qi: 

determining a hash value (r^ satisfying a concfition that r^ « hfR^; 

outputting a data indicating that said digital signature is authenticated, when said hash value (r^ coincides 
with a tally (r) of said digital signature; and 

outputting data indicating that said digital signature is not authenticated unless said hash value OV) coincides 
with said tally (r^ of said digital signature. 
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FIG. 2A 
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